Killing Phish the Sumerian Way

Circa 3000 BCE – The Sumerian language is dead. Why? Because as it’s often said, a language is just a dialect with an army, and the army had long vanished. A thousand or so years earlier, however, Sumerian was the first language to have a written form, and Sumerians wasted no time in developing tools – elaborately carved cylinder seals – to authenticate messages written in clay.

Why? Perhaps because it was clear then (as it should be now) that the real target of message-based attacks is the mind of the reader, and authentication gives the reader at least some workable defense.

1967 – Imagine how Postmaster General Lawrence O’Brien felt at that Congressional hearing as he heard Oklahoma Congressman Tom Steed ask him: “Would this be a fair summary – that at the present time, as manager of the Post Office Department, you have… a staggering amount of no control in terms of the duties you have to perform?”

1982 – Internet Standard 10 (RFC 821), also known as SMTP, is published. Email, as we know it, becomes reality.

2015 – One out of every thousand emails, give or take, is a phishing ploy; one out of every 200 or so emails contains malware; at least 10 percent of these prying or malicious messages make it past spam filters, and that percentage is increasing as attackers gain sophistication.

In 2012, the bottom line is that 80,000 people every day fell for one of the ever-so-enticing embedded links to an infected server. Perhaps we’re late in aiming Tom Steed’s question at the creators of RFC 821.

As spear-phishing grows rapidly and adversaries mine social media for personal details of their targets, phishing (and malware) email attacks are becoming very effective against the mind of the reader. The problem is, the cost of a successful attack is much higher now than 6000 years ago – phishing is a prime gateway into your network for APTs that will haunt you for months, and exfiltrate millions of private records, even fingerprints.

How do you protect the mind of the reader today? Replace SMTP with a new and secure protocol? Let me know how that works out for you.

Require server proofs-of-work, use greylisting, or require micropayments for sending e-mail? Not gonna happen, or counterproductive, or both.

What if we just use SMTP and rely on its relatively new Sender Policy Framework? That might help at the server-to-server level, but it requires maintenance and there’s no standard for how SMTP servers respond to SPF check failures.

What if we rely on SMTP DMARC? Maybe someday, but DMARC isn’t widely supported by mail server configurations today, and for domains without DMARC records, you’re still on your own.

Even with SPF and DMARC, we’re left with the wrong abstraction: identifying bad servers rather than attack messages, defending domains rather than the minds of readers. That approach may be good for spam and bulk phishing, but not for spear-phishing and targeted malware.

Yes indeed, the authors of RFC821 (and its follow-on RFC5321) have left the postmasters of today with a staggering amount of no control over increasingly dangerous email.

So then… are we stuck with manually scrying each e-mail message we get? Perhaps, but mere mortals fall for phishing half the time. Last year at the RSA conference, a study showed that even experts can only identify phishing samples about two-thirds of the time.

Maybe ancient Sumerian can help. 6000 years have passed, but perhaps we could learn something from cylinder seal technology to defend the mind of the reader against phishing and malware e-mail attacks. It might work something like this:

Step 1

Sign here, please. We have the technology to digitally sign email. Many of us already use digital IDs from Verisign or Globalsign, for example. A digital signature accompanying a message proves that the message was sent by the owner of the private key used to sign it and the public key that can be used to check it.

The signature chain of the certificate for that key pair attests to the entity that owns those keys. That’s a start, but it doesn’t connect that entity to identities you know. (Side benefit. When each of us has a verifiably published public key, we get encryption basically for free, which is good because nobody is willing to pay for security).

Step 2

Here’s my card. Look me up. We also have the technology to connect the attested owner of those keys to identities we can recognize, to give a kind of non-interactive multi-factor authentication of the message sender: the sender’s return address is one factor, the certificate chain is another, and the connected identities are a third factor.

The new web service keybase.io allows you to see in real-time whether a published key is tied to a current identity you know and may trust, such as a Twitter or Github account or even a bitcoin address.

Estonia issues “digi-IDs” – a smartcard that contains two key pairs and a permanent email reflector address. Each cardholder is vetted by the Estonian government, and the IDs are verifiable through their web services. In fact, you don’t need to be a resident or citizen of Estonia to get one. That’s multi-factor authentication with vetting by a trusted third-party, and also includes email reach-back to the sender.

Step 3

Imagine a service based on digital signatures for email and connected, familiar identities. Now, imagine that it’s inexpensive and easy for anyone to use. Now, make your email client just a little bit smarter than it is today.

It verifies the certificate chain of each message’s digital signature, tracks down the authentications offered by keybase.io or e-estonia.com, ranks your messages by degree of trust in the sender’s identity, and verifies the return address. Armed with that knowledge, you can defend more easily against phishing and malware email. Best of all, there’s no need to change the current SMTP infrastructure.

It’s not a perfect imagined solution. Phishing spawned from compromised genuine user accounts will still get through, so there’s still some head-scratching to do when your authenticated buddy down the hall sends you a link to a site that you just have to check out.

But now at least you know which buddy to tell that he’s lost control of his credentials.

Emily Dickinson said that, “The possible’s slow fuse is lit by the imagination.” The Sumerians lit that fuse 6000 years ago, so let’s get on with defending the mind of the reader.

About the Author: David Archer is a Research Program Lead at Galois, Inc., where he directs research in computing on encrypted data, cryptography, and security-related provenance of data and computation. He holds a PhD in Computer Science from Portland State University (Portland, OR) as well as an MS in Electrical Engineering from the University of Illinois at Urbana-Champaign. Dr. Archer’s research interests also include cyber privacy and information assurance. Dr. Archer also has 25 years experience in processor and computer system design, and in leading large hardware and software product design teams at Intel Corporation and Mentor Graphics Corporation.

Editor’s Note:The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.